Why cant a URL be used directly in a policy?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why cant a URL be used directly in a policy?

L0 Member

Hi, 

I understand that to block an individual URL it has to be in a custom category before it can be used in a policy as a destination. For my own education and curiosity, my question is why must it be in a category? What is the processing logic in the firewall that makes this a requirement?

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@ABurger,

It would be drastically more resource intensive to check the rulebase against a single URL versus the category. On the backend PAN would have to convert every URL entry utilized in the security rulebase (or every group of URLs used in a security rulebase entry) to it's own individual category. Then you'd have to deal with the fact that URL Filtering profiles exist and wouldn't have a defined action for the dynamic category that it's creating, so it would have to assume intent (IE: If the security entry allows access to a URL, do they default to that being a category action of "allow" or "alert"?). What about credential enforcement action? This is also all negating any platform limits and the fact that any VSYS can only ever have 500 custom categories.

 

In short, it's resource intensive and doing so isn't conducive to properly following assigned profiles if it's dynamically building categories on the backend to keep overhead to a minimum. They'd need to not only give you the ability to dynamically build categories if you specified URLs in an entry, but they would also need to allow you to set URL Filtering behavior for those categories and dynamically build out additional profiles for each new entry as well.

That would be an incredible amount of management overhead when building the running-config and would put people much closer to running into platform limitations because of the processing overhead. 

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@ABurger,

It would be drastically more resource intensive to check the rulebase against a single URL versus the category. On the backend PAN would have to convert every URL entry utilized in the security rulebase (or every group of URLs used in a security rulebase entry) to it's own individual category. Then you'd have to deal with the fact that URL Filtering profiles exist and wouldn't have a defined action for the dynamic category that it's creating, so it would have to assume intent (IE: If the security entry allows access to a URL, do they default to that being a category action of "allow" or "alert"?). What about credential enforcement action? This is also all negating any platform limits and the fact that any VSYS can only ever have 500 custom categories.

 

In short, it's resource intensive and doing so isn't conducive to properly following assigned profiles if it's dynamically building categories on the backend to keep overhead to a minimum. They'd need to not only give you the ability to dynamically build categories if you specified URLs in an entry, but they would also need to allow you to set URL Filtering behavior for those categories and dynamically build out additional profiles for each new entry as well.

That would be an incredible amount of management overhead when building the running-config and would put people much closer to running into platform limitations because of the processing overhead. 

L0 Member

That makes sense, thank you very much!

  • 1 accepted solution
  • 1057 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!